Computing Reviews
Today's Issue Hot Topics Search Browse Recommended My Account Log In
Review Help
Search
Computer security and the Internet
van Oorschot P., Springer International Publishing, New York, NY, 2020. 387 pp. Type: Book (978-3-030336-48-6)
Date Reviewed: Jan 6 2021

Paul C. van Oorschot is a master who has made many diverse contributions to computer system security (very much including systems connected by the Internet), from applied cryptography to system usability. This range is a strength of the book: while it is obvious that a usable system that is cryptographically insecure is bad, a system that is cryptographically secure but too hard to use is equally bad and will lead to well-known disasters like passwords on Post-its. As the author asks early on: what use is password strength and changing policy that saves $1000/month if it costs $2500/month in help desk time?

A particular strength here is the use of physical analogies to illustrate key ideas, for example, a hotel room safe (is the threat a thief or the staff?). There is no cookbook for building secure systems, not least because the threat model varies (a topic discussed early on) and is part of the definition of “secure.” However, Section 1.7 has a very useful list of 20 design principles. This is marked as “readers may omit on first reading.” It’s actually quite hard to read at first if you are new to the field, but if I were teaching out of this book, I would use it as an end-of-course summary, as well as a checklist for designs.

The book is extremely pragmatic, listing problems, solutions, and (when appropriate) why those solutions aren’t working, or at least aren’t working as well as one would like. This is a perennial problem in security: old issues that “everyone knows to avoid” keep cropping up, with SQL injection as the poster child. Here I think the author could have gone further and pointed out the major issue: new developers are not taught the things “everyone knows” (see [1] for an analysis of the lack of SQL injection coverage in major textbooks).

Chapter 2, “Cryptographic Building Blocks,” steers an excellent middle course between detail and “magic.” It’s almost identical to the corresponding section in my own lectures, with the only difference being that I talk here about specialist hash functions for password protection. The author mentions it in chapter 3, but there is no cross-reference.

Chapter 3, on user authentication, is again very pragmatic. The author’s discussion of biometrics is more balanced than much of the hype one typically sees: “the security of biometrics is often overstated.” This is certainly true. I usually quote [2], which explains that a “fingerprint” reader is actually a “lots-of-small-bits-of-fingerprints” reader.

Chapter 8 on public key infrastructure (PKI) and certificates is good, and goes deeper than I do in my lectures. This will be further reading for my students.

Chapter 9, “Web and Browser Security,” assumes some prior knowledge. The author has gone for a six-page whistle-stop-tour approach, without many references. This is a valid approach, but instructors using this text will have to find appropriate sources to fill the gaps.

Is this book complete? No. Is there a part I would cut to make room for something else? Not really, though I might change the emphasis. Will I recommend it to my students? Yes.

Reviewer:  J. H. Davenport Review #: CR147154 (2107-0180)
1) Taylor, C.; Sakharkar, S. ');DROP TABLE textbooks;--: an argument for SQL injection coverage in database textbooks. ACM Inroads 10, 2(2019), 58–64.
2) Bontrager, P.; Roy, A.; Togelius, J.; Memon, N.; Ross, A. DeepMasterPrints: generating MasterPrints for dictionary attacks via latent variable evolution. In 2018 IEEE 9th International Conference on Biometrics Theory, Applications and Systems IEEE, 2018, https://doi.org/10.1109/BTAS.2018.8698539.
Bookmark and Share
  Featured Reviewer  
 
Security and Protection (K.6.5 )
 
 
Security and Protection (C.2.0 ... )
 
Would you recommend this review?
yes
no
Other reviews under "Security and Protection": Date
CIRCAL and the representation of communication, concurrency, and time
Milne G. ACM Transactions on Programming Languages and Systems 7(2): 270-298, 1985. Type: Article
Oct 1 1985
Computer security risk management
Palmer I., Potter G., Van Nostrand Reinhold Co., New York, NY, 1989. Type: Book (9780442302900)
Apr 1 1991
Computers at risk
, National Academy Press, Washington, DC, 1991. Type: Book (9780309043885)
Oct 1 1991
more...

E-Mail This Printer-Friendly
Send Your Comments
Contact Us
Reproduction in whole or in part without permission is prohibited.   Copyright 1999-2024 ThinkLoud®
Terms of Use
| Privacy Policy